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Applicant(s) 

SPIELMANN ETAL 


cxanmnGr 
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3623 





Period for Reply 

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH{S) FROM 
THE MAILING DATE OF THIS COMMUNICATION. 

• Extensions of time may be available under the provisions of 37 CFR 1 .136(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days will be considered timely. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply vAihin the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133), 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1 )M Responsive to communication(s) filed on 06 June 2005 . 
2b)M This action is FINAL. 2b)n This action is non-final. 

3) n Since this application is in condition for allowance except for fomial matters, prosecution as to the merits is 

closed in accordance with the practice under Ex parte Quay/e, 1935 CD. 11, 453 O.G. 213. 

Disposition of Claims 

4) S Claim(s) 1-18 is/are pending in the application. 

4a) Of the above claim(s) is/are withdrawn from consideration. 

5) 0 Claim(s) is/are allowed. 

6) 13 Claim(s) 1-18 is/are rejected. 
?)□ Claim(s) is/are objected to. 

8) n Claim(s) are subject to restriction and/or election requirement. 

Application Papers 

9) 0 The specification is objected to by the Examiner. 

10)0 The drawing(s) filed on is/are: a)^ accepted or b)n objected to by the Examiner. 

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a). 

Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d). 
1 1 )□ The oath or declaration is objected to by the Examiner. Note the attached Office Action or fomi PTO-152. 

Priority under 35 U.S.C. § 119 

12)n Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (0- 
a)D All b)n Some * c)^ None of: 

1 .□ Certified copies of the priority documents have been received. 

2.n Certified copies of the priority documents have been received in Application No. . 



3.n Copies of the certified copies of the priority documents have been received in this National Stage 
application from the International Bureau (PCT Rule 17.2(a)). 
* See the attached detailed Office action for a list of the certified copies not received. 



Attachment(s) 

1) ^ Notice of References Cited (PTO-892) 4) □ Interview Summary (PTO-413) 

2) □ Notice of Draftsperson's Patent Drawing Review (PTO-948) Paper No(s)/Mail Date. . 

3) □ Information Disclosure Statement(s) (PTO-1449 or PTO/SB/08) 5) □ Notice of Informal Patent Application (PTO-1 52) 

Paper No(s)/Mail Date . 6) □ Other: . 
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DETAILED ACTION 

1 . The following is a final office action in response to communications received 06/06/05. 
Claims 1, 10, 14, and 16 have been amended. Claims 1-18 are pending. 

Response to Arguments 

2. Applicant's arguments with respect to the claims have been considered but are moot in 
view of the new grounds of rejection, as necessitated by amendment. 

Claim Rejections - 35 USC § 102 

3. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed 
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an 
international application filed under the treaty defined in section 35 1(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application designated the United 
States and was published under Article 21(2) of such treaty in the English language. 

Claims 1-2, 6-10, 12-13, 16, and 18 are rejected under 35 U.S.C. 102(e) as being 
anticipated by Buddie et al. (U.S. 6,912,502). 

4. As per claim 1 , Buddie et al. teaches a method for determining compliance with 
organizational business poHcies associated with a business risk, said method comprising: 

a. the computer receiving a user selection of a business risk element from a business 
risk element list which is displayed to the user, said business risk element list being 
retrieved from a database coupled to said computer (See figure 7, column 10, Une 40- 
column 11, line 5 and Hnes 14-20 and column 13, lines 24-38, wherein the computer 
receives a compliance officer's selection of a risk element/compliance issue); 
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b. in response to the selection of said business risk element, the conqjuter retrieving 
one or more predetermined control procedures, the control procedures identified by an 
administrator as a means for complying with business policies associated with said 
selected risk element (See figure 1, column 2, line 60-column 3, line 25, lines 30-40, line 
52-column 4, line 7, column 9, lines 50-65, column 13, lines 25-40, wherein business 
policies are discusses. See figure 4, column 7, lines 30-65, column 9, lines 10-35, which 
discuss control procedures that members of the business are questioned about); 

c. the computer associating said one or more predetermined control procedures with 
said selected business risk element, said predetermined control procedures being stored in 
said database (See figure 7, column 7, lines 40-60, column 9, lines 34-60, column 10, 
lines 30-55, and column 13, lines 25-37, wherein the control procedures are stored and 
associated with the risk element); 

d. in response to the retrieving of the control procedures, the computer retrieving a 
weight assigned to each one of said predetermined control procedures, said weight being 
stored in said database (See figure 4, column 8, lines 40-55, wherein a weight is 
assigned); 

e. the computer receiving a user selection of a compliance rating for each said 
predetermined control procedure, the rating selected by the user indicating a level of 
compliance with each one of said predetermined control procedures, for each of said 
predetermined control procedures the level of compliance is a subjective rating selected 
from a rigid set of compliance ratings, the same set of compliance ratings is available for 
each of said predetermined control procedures (See figures 4 and 5A, column 7, lines 40- 
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65, column 8, lines 32-55, wherein user selected ratings are provided to the control 
procedures, these indicating a level of compliance); and 

f. the computer calculating a conq^liance score, each compliance score being a 
function of said assigned weights and said compliance rating of said predetermined 
control procedures (See figxire 4, column 8, lines 35-55, wherein a compliance score is 
calculated by the system). 

5. As per claim 2, Buddie et al. discloses wherein said compliance ratings conqjrise at least 
one rating identifying a non- fully compliant control procedure, said method further comprising 
the steps of 

a. for each said control procedure having a non- fully compliant rating, the conqDUter 
receiving a user generated signal indicating whether said non-fuUy compliant control 
procedure is accepted or not accepted (See column 8, line 56-column 9, line 33, wherein 
the not fully compliant procedure is either accepted or not accepted (acted on or not acted 
on)); and 

b. for each of said non- fully compliant control procedure which is indicated as not 
accepted, requiring the user to provide signals for generating an action plan (See column 
5, lines 17-46, column 9, lines 10-35, and column 10, lines 22-32 and 40-55, wherein the 
user enters an action plan in the computer system). 

6. As per claim 6, Buddie et al. discloses associating one or more parameters with each said 
compliance rating (See column 11, lines 60-67, which discloses parameters). 
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7. As per claim 7, Buddie et al. teaches wherein said one or more parameters are selected 
from the group corrqDrising organization, business line, process, and region (See column 11, lines 
60-67, which discloses such parameters). 

8. As per claim 8, Buddie et al. teaches the step of the computer sorting said compliance 
scores by said one or more parameters (See column 11, lines 20-35 and line 60-column 12, line 
5, which discloses sorting the scores). 

9. As per claim 9, Buddie et al. teaches the step of the computer displaying said sorted 
compliance scores (See column 11, lines 20-35 and line 60-column 12, line 5 and lines 40-50, 
wherein reports are displayed). 

10. As per claim 10, Buddie et al. teaches a method for determining compliance with 
organizational business policies associated with a business risk, said method comprising: 

a. a computer receiving a user selection of a business risk element from a business 
risk element list which is displayed to the user on a display terminal of a computer, said 
business risk element list being retrieved from a database coupled to said computer (See 
figure 7, column 10, line 40-column 11, line 5 and lines 14-20and column 13, lines 24- 
38, wherein the computer receives a compliance officer's selection of a risk 
element/compliance issue); 

b. in response to the selection of said business risk element, the computer identifying 
one or more subrisk elements associated with said business risk elements, each subrisk 
element being retrieved from said database (See figure 4, column 8, line 55-column 9, 
line 10, which discloses sub-risk elements); 
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c. for at least one subrisk element, the conrputer retrieving one or more 
predetermined control procedures, the control procedures identified by an administrator 
as a means for business policies associated with said subrisk element (See figure 7, 
column 7, lines 40-60, column 9, lines 34-60, column 10, lines 30-55, and column 13, 
lines 25-37, wherein the control procedures are stored and associated with the element); 

d. the computer associating said one or more control procedures with said subrisk 
element, said control procedures being stored in said database (See figure 7, column 7, 
lines 40-60, column 9, lines 34-60, column 10, lines 30-55, and column 13, lines 25-37, 
wherein the control procedures are stored and associated with the element); 

e. the computer retrieving a weight assigned to each one of said predetermined 
control procedures, said weight being stored in said database (See figure 4, column 8, 
lines 40-55, wherein a weight is assigned); 

f the computer receiving a user selection of a compliance rating for each said 
predetermined control procedure, each said compliance rating is a subjective rating 
selected from a rigid predetermined set of compliance ratings, the same set of compliance 
rating is available for each of said predetermined control procedures including at least 
one rating indicating said control procedure is not fully compliant (See figures 4 and 5A, 
column 7, lines 40-65, column 8, lines 32-55, wherein user selected ratings are provided 
to the control procedures, these indicating a level of compliance); 
g. the computer calculating a compliance score, said compliance score being a 
function of said assigned weights and said compliance rating of said control procedures 
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(See figure 4, column 8, lines 35-55, wherein a compliance score is calculated by the 
system); 

h. for each subrisk, the computer determining whether at least one control procedure 
associated with said subrisk is not fully compliant (See figure 4 and column 7, lines 45- 
62, wherein the high risk areas are determined); 

i. for each subrisk associated with at least one control procedure which is not fully 
compliant, the computer receiving a signal from the user indicating whether said subrisk 
should be accepted or not accepted (See column 8, line 56-column 9, line 33, wherein the 
not fully compliant procedure is either accepted or not accepted (acted on or not acted 
on)); and 

j. for each subrisk which is indicated as not accepted, the computer generating an 
action plan (See column 5, lines 17-46, column 9, lines 10-35, and column 10, lines 22- 
32 and 40-55, wherein the user enters an action plan in the computer system and the 
computer generates a profile for this action plan). 

11. Claims 12 and 13 contain equivalent limitations to claims 6 and 8, respectively, and are 
therefore rejected using the art and rationale as applied above. 

12. Claim 16 is substantially similar to claim 1 and is rejected using the same art and 
rationale as applied above. Buddie et al. further teaches a database and a processor coupled to 
the database (See figures 6-7, column 12, hnes 7-15 and 30-40, and column 13, lines 24-37). 

13. As per claim 18, Buddie et al. teaches a data processing system further comprising a 
computer display coupled to said processor, said processor further being programmed to display 
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said compliance scores on a computer display (See figures 6-7, column 7, lines 40-60, column 
12, lines 1-15 and 30-49, and column 13, lines 24-37), 

Claim Rejections - 35 USC §103 

14. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

Claims 3-5, 1 1, 14, 15, and 17 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Buddie et al. (U.S. 6,912,502). 

15. As per claim 3, Buddie et al. teaches wherein said action plan includes a target date, said 
method further comprising the step of the computer expecting a changed compliance score for 
one or more future dates based on said action plan target dates (See column 5, lines 15-30 and 
39-51, column 9, lines 35-50, column 10, lines 23-42, column 11, lines 5-15 and 58-67, which 
discusses target dates). However, while Buddie et al discusses an expectation of decrease in a 
future score, Buddie et al. does not expressly disclose calculating an expected compliance score 
for the future date ahead of time. 

Buddie et al. discloses identifying risk issues that need to be resolved in a timely manner. 
Buddie et al. discloses calculating a current compliance score by utilizing the compliance ratings 
and weights. This compliance score allows the user to identify areas with high-risk scores. The 
user may choose to generate an action plan for risk areas that must be resolved, the resolution 
expected by a target date. The system allows the user to track progress and re-calculate the 
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compliance score at future dates. The user compares the recalculated score to the original in 
hopes of seeing a decrease. Therefore, it would have been obvious to one of ordinary skill in the 
art at the time of the invention to allow the user of Buddie et al to project the conq^liance score 
for a future date utilizing the algorithm and data of the system in order to more efficiently 
communicate the progress of action plan to the user, thus allowing the user to more efficiently 
resolve the issue in a timely manner. See column 1, lines 40-47, which discusses the importance 
of complying with an action plan and see column 10, lines 23-45, which discusses the systems 
need to drive issue resolution and closure in a timely manner. 

16. As per claim 4, Buddie et al. teaches the computer tracking whether said expected 
compliance scores have been met, said tracking including calculating actual compliance scores 
for said target dates (See column 5, lines 15-30 and 39-51, column 9, lines 35-50, column 10, 
lines 23-42, column 11, lines 5-15 and 58-67, which discusses calculating actual compliance 
scores on target dates). 

17. As per claim 5, Buddie et al. teaches the step of the computer displaying action plan 
status as the action plan progresses towards resolution as well as the display of a graph (See 
column 10, lines 20-45 and line 65-column 11, line 5 and line 55-column 12, line 5). Buddie et 
al. further expects risk resolution and expects mitigation of risk, which is recalculated (See9, 
lines 1-10 and 34-60). However, Buddie et al. does not expressly disclose displaying said 
expected compliance scores versus said actual compliance for the target dates. 

Buddie et al. discloses displaying compliance scores, displaying graphs, and generating 
comparisons of previous and current scores. Buddie et al. further discloses tracking and 
displaying status of an action plan. Therefore, it would have been obvious to one of ordinary 
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skill in the art at the time of the invention to graph the expected score versus the actual score in 
order to more efficiently communicate the progress of action plan to the user, thus allowing the 
user to more efficiently resolve the issue in a timely manner. See column 1, lines 40-47, which 
discusses the importance of complying with an action plan and see column 10, lines 23-45, 
which discusses the systems need to drive issue resolution and closure in a timely manner. 

18. Claim 1 1 contains equivalent limitations to claim 3 and is therefore rejected using the art 
and rationale as applied above. 

19. Claim 14 is substantially similar to claims 1 and 2 above and is therefore rejected using 
the same art and rationale as applied above. Furthermore, discloses (g) the computer calculating 
a compliance score at a future date, said expected compliance score being a function of said 
assigned weights, said fully compliant control procedures, and said action plan target dates for 
said non- fully complaint control procedures (See column 5, lines 15-30 and 39-51, column 9, 
lines 35-50, column 10, lines 23-42, column 11, lines 5-15 and 58-67, which discusses target 
dates). However, Buddie et al. does not expressly disclose calculating an expected compliance 
score for a future date in advance. 

Buddie et al. discloses identifying risk issues that need to be resolved in a timely manner. 
Buddie et al. discloses calculating a current compliance score by utilizing the compliance ratings 
and weights. This compliance score allows the user to identify areas with high-risk scores. The 
user may choose to generate an action plan for risk areas that must be resolved, the resolution 
expected by a target date. The system allows the user to track progress and re-calculate the 
compliance score at future dates. The user compares the recalculated score to the original in 
hopes of seeing a decrease. Therefore, it would have been obvious to one of ordinary skill in the 
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art at the time of the invention to allow the user of Buddie et al to project the compliance score 
at the future date utilizing the stored algorithm and data in order to more efficiently communicate 
the progress of action plan to the user, thus allowing the user to more efficiently resolve the issue 
in a timely mariner. See column 1, lines 40-47, which discusses the importance of complying 
with an action plan and see column 10, lines 23-45, which discusses the systems need to drive 
issue resolution and closure in a timely manner. 

20. As per claim 15, Buddie et al. teaches wherein said action plan comprises a signal 
indicating whether said non-fuUy compliant rating is accepted or not accepted, said expected 
compliance score further being a function of said non-fuUy compliant ratings which have been 
accepted (See column 8, line 56-column 9, line 33, wherein the not fiiUy compliant procedure is 
either accepted or not accepted (acted on or not acted on)). 

2 1 . Claim 17, elements a and b, are substantially similar to claim 2 and are rejected using the 
same art and rationale as applied above. Furthermore, element (c) is substantially similar to 
claim 14, element g, and is therefore rejected using the same art and rationale as applied above. 

Conclusion 

Applicant's amendment necessitated the new ground(s) of rejection presented in this 
Office action. Accordingly, TfflS ACTION IS MADE FINAL. See MPEP § 706.07(a). 
Applicant is reminded of the extension of time poHcy as set forth in 37 CFR 1 .136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
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will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1, 136(a) will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the date of this 
final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Beth Van Doren whose telephone number is (571) 272-6737. 
The examiner can normally be reached on M-F, 8:30-5:00. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Tariq Hafiz can be reached on (571) 272-6729. The fax phone number for the 
organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 



bvd 

August 9, 2005 




SUSANNA M. DIAZ 
PRIMARY EXAMINER 



